I've been working on understanding rules in pf.conf and I've made some progress, but I don't pretend to really get it all yet. I've been trying to define some groupings among our users in order to allow traffic from only some users to some ports. My basic plan is to have rank-and-file users be served DHCP addresses from the firewall box, and have blocks of static addresses that will be given privileges as needed. Tables of IP addresses stored in files seem like the cleanest way to define these groupings.

Problem is that I can't seem to make a simple example work.

I've set up a closed test network: one PC with an HTTP server, a site at port 80 and another at 81. That machine sits on the "outside" LAN connected to my firewall's rl0 NIC; the other one, which is serving as the client, sits on the inside on rl1.

I want "everyone" to be able to get to port 80 on the outside, but only developers to be able to get to 81.

I tried making the <developers> table a simple single IP address (you can see that attempt commented out; that did not work either). Developers contains:

Code:

192.168.0.8
192.168.0.9
192.168.0.10

Sorry if this is a totally stupid mistake. I have a feeling that it is and I don't want to waste anybody's time, but I'm just not finding anything that points me to what's wrong. And I've spent a stupid amount of time trying to figure it out. (Some of the rules you see are based on wild-ass guesses from multiple attempts to conjure a solution out of what the log is spitting out as the connection request for port 81 fails).
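Here is an added example of a minimal pf.conf for the setup described in the post. It is not the poster's ruleset (which is not reproduced here) and not taken from any pf documentation; it assumes rl0 is the outside NIC, rl1 the inside NIC, the inside LAN is 192.168.0.0/24, the test web server is 10.0.0.2 on the outside LAN, and the developer list is the file /etc/pf/developers shown above. All of those values are assumptions for the example.

```pf
# Added example pf.conf (not the poster's ruleset). Assumptions: rl0 is the
# outside NIC, rl1 the inside NIC, the inside LAN is 192.168.0.0/24, the test
# web server is 10.0.0.2 on the outside LAN, and the developer addresses live
# in /etc/pf/developers (one address or CIDR block per line, "#" comments ok).
ext_if    = "rl0"
int_if    = "rl1"
int_net   = "192.168.0.0/24"
webserver = "10.0.0.2"

# "persist" keeps the table defined even while no rule references it, which
# matters while commenting rules in and out during testing. The path must be
# absolute; pfctl reads the file when the ruleset is loaded.
table <developers> persist file "/etc/pf/developers"

set skip on lo0

# Default deny, and log what is blocked so tcpdump on pflog0 shows it.
block log all

# Let the firewall itself send traffic (DHCP answers, its own connections)
# out of both interfaces. State is kept, so replies get back in.
pass out quick on { $ext_if, $int_if }

# DHCP: clients broadcast from 0.0.0.0:68 to 255.255.255.255:67.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# Everyone on the inside LAN may reach the site on port 80.
pass in quick on $int_if inet proto tcp from $int_net to $webserver port 80

# Only addresses in <developers> may reach the site on port 81. With "quick"
# the first matching rule wins; without it the last matching rule wins, so
# the order of the pass/block rules would decide the outcome.
pass in quick on $int_if inet proto tcp from <developers> to $webserver port 81
```

Checks that help when a rule like the port 81 one does not fire: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, `pfctl -sr` shows what actually loaded (a commented-out rule will not appear), `pfctl -t developers -T show` lists the addresses pf has in the table, and `pfctl -vsr` shows per-rule evaluation and packet counters, so you can see whether the port 81 rule is being evaluated at all or just not matching. After editing the table file, `pfctl -t developers -T replace -f /etc/pf/developers` reloads it without touching the rules. `tcpdump -n -e -ttt -i pflog0 port 81` shows which rule number blocked the request. The most common reason a table rule does not match is that the source address in the table is not the address pf sees on the inside interface: if a developer machine picks up a DHCP lease instead of its static address, or the packet is translated before this rule sees it, the table lookup fails even though the rule is correct.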